Card skimmer crew suspected of infecting nearly 200 e-commerce sites

An investigation into the abuse of the Magecart JavaScript skimmer to compromise hundreds of e-commerce websites has led to the arrest of three suspects in Indonesia.

The as-yet unnamed suspects allegedly ran command and control (C2) servers associated with a Magecart skimming operation in Indonesia to harvest payment card details before using the stolen information to purchase and resell electronic goods and other luxury items.

Night Fury

The arrest by local police came as part of Operation Night Fury, an intelligence-led operation run by Interpol and focused on Southeast Asia. Investigators detected C2 servers and compromised websites located in six countries in the Association of Southeast Asian Nations (ASEAN) region.

“Data provided to Interpol through a partnership with cybersecurity firm Group-IB on the scope and range of this malware helped identify hundreds of infected e-commerce websites worldwide,” a statement by Interpol on the ongoing operation explains.

“Group-IB also supported the investigation with digital forensics expertise helping to identify the suspects.”

The Indonesian suspects – aged 23, 37, and 35 – were arrested in December and charged with the theft of electronic data prior to a press conference organized by the Indonesian Cyber Police that announced their arrests on Monday (January 27).

In Singapore, authorities have identified and taken down two Magecart-linked C2 servers as part of the ongoing operation, which aims to identify cybercrime infrastructure as well as other suspected cybercriminals.

GetBilling, or die trying

Group-IB said it has been tracking what it refers to as the ‘GetBilling JS-sniffer’ family since 2018. An analysis of infrastructure controlled by the suspected operators of GetBilling revealed that they had managed to infect nearly 200 websites across five continents.

“The suspects have managed to infect hundreds of e-commerce websites in various locations, including in Indonesia, Australia, the United Kingdom, the United States, Germany, Brazil, and some other countries,” a blog post by Group-IB on its role in Operation Night Fury explains.

“Payment and personal data of thousands of online shoppers from Asia, Europe, and the Americas have been stolen.”

To pay for hosting services and buy new domains, the gang members only used stolen cards. In addition, they always used VPNs to hide their real location and identity in accessing malware control servers and repositories of stolen data, according to Group-IB.

Group-IB spokesman Sergei Turner told The Daily Swig that long-term analysis of the group’s tactics and techniques rather than OpSec mistakes allowed it and its law enforcement partners to identify likely suspects.

LISTEN NOW SwigCast, Episode 4: MAGECART

“We have been tracking the infrastructure related to different families of JS-sniffers for quite a while. And GetBilling was one of the families described in Group-IB’s 2019 report Crime Without Punishment which is a deep dive into the world of JS-sniffers,” Turner explained.

“So this was not due to the mistakes they made, but thanks to the knowledge of their infrastructures, and unique parts of the code they used on their [C2 servers] allowed to establish the real identities.

“Another important factor which led to their undoing [was the] timely threat intelligence sharing and effective multi-jurisdictional coordination of efforts between Indonesia’s Cyber Police, Interpol, and Group-IB. It is also important to note, that the operation is still ongoing in other five ASEAN countries,” he added.

Group-IB argues that it’s more accurate to talk about families of JS-Sniffers rather than Magecart – an umbrella term for the expanding number of groups using the increasingly popular cybercrime tactic.

Skimming cart

Magecart has become a scourge of internet security over the last three years or so, with multiple threat groups using the approach to hack into e-commerce websites and steal payment card details.

The arrests in Indonesia, while welcome, will barely put a dint in this widespread malfeasance.

“This group had a serious impact on global e-commerce security in recent years, by skimming at least 571 hacked stores. However, they were responsible for just 1% of all Magecart incidents since 2017,” according to payment security firm Sanguine Security, which estimates between 40 to 50 other sophisticated cybercriminals are involved in web-skimming activity.

Viktor Okorokov, threat intelligence analyst at Group-IB, agreed that the cybercrime tactic is growing.

“The number of attacks is growing as well as the number of JS-Sniffers families," Okorokov said.

“At the time of Group-IB’s report publication in 2019, in total our threat Intelligence team discovered 38 families of JS-sniffers. Ever since, the number of JS-sniffer families discovered by the company has almost doubled and continues to grow.”

“The reason for this is that most of e-commerce website still do not have cybersecurity policies in place, nor they carry out regular cybersecurity assessments or implement basic cyber hygiene, such as timely software updates, which makes them easy targets for cybercriminals,” he added.

YOU MIGHT ALSO LIKE Online tools help consumer protect against Magecart